Hi all,

My actual blacklist is so huge, "time shorewall restart" is about 80 mins.

Another way to restart fast is to process via multiple "shorewall reject" after shorewall is restarted with an empty blacklist, but these rules are not added to the blacklist chain.. just rejected.

Can shorewall do that?

ciao'
mathieu
--
mollo wrote:
> Hi all,
>
> My actual blacklist is so huge, "time shorewall restart" is about
> 80 mins.
>
> Another way to restart fast is to process via multiple "shorewall
> reject" after shorewall is restarted with an empty blacklist but these
> rules are not added to the blacklist chain.. just rejected.

'shorewall reject' adds to the 'dynamic chain' which may be saved using the 'shorewall save' command.

As I've said before several times on this list, using huge blacklists with Shorewall just isn't a very smart thing to do.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 11 May 2004 08:29:45 -0700
Tom Eastep <teastep@shorewall.net> wrote:

Hi

> 'shorewall reject' adds to the 'dynamic chain' which may be saved using
> the 'shorewall save' command.
>
> As I've said before several times on this list, using huge blacklists
> with Shorewall just isn't a very smart thing to do.
>

Except the load time, nothing bad has appeared..

#iptables -n -L blacklst | wc
  23512  258619 2386357

That's okay Tom, but is there any way to have the log drop disposition with any saved file? Else I don't think it's a good idea to add my own IPTABLES rules outside shorewall control..

Thanks
Mathieu
--
mollo wrote:
> On Tue, 11 May 2004 08:29:45 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
> Hi
>
>
>> 'shorewall reject' adds to the 'dynamic chain' which may be saved using
>> the 'shorewall save' command.
>>
>> As I've said before several times on this list, using huge blacklists
>> with Shorewall just isn't a very smart thing to do.
>>
>
>
> Except the load time, nothing bad has appeared..
>
> #iptables -n -L blacklst | wc
>   23512  258619 2386357
>
> That's okay Tom, but is there any way to have the log drop disposition
> with any saved file?
>

Read my response again (hint "shorewall save")

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
>>
>>
>> Except the load time, nothing bad has appeared..
>>
>> #iptables -n -L blacklst | wc
>>   23512  258619 2386357

This means that each successful new connection from the net must traverse 23512 rules!!!!

>>
>> That's okay Tom, but is there any way to have the log drop disposition
>> with any saved file?
>>
>
> Read my response again (hint "shorewall save")
>

But be warned that the dynamic blacklist is traversed for *every* new connection, not just those from the net.

There was also a thread on the list a while back where I outlined how the blacklist could be loaded *after* "shorewall start" had completed. You might be able to take that approach to get your firewall up quicker.

Finally, in Shorewall 2.0.2 the 'save' command also creates a script for restoring Shorewall to its current state quickly (although with 23512 extra rules, it is unclear just how "quick" it will be). So if your blacklist doesn't change very often, that might be an approach.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 11 May 2004 09:40:07 -0700
Tom Eastep <teastep@shorewall.net> wrote:

Hi Tom,

>
> This means that each successful new connection from the net must
> traverse 23512 rules!!!!

Yep, and thanks to Harald Welte there is no side effect.

>
> But be warned that the dynamic blacklist is traversed for *every* new
> connection, not just those from the net.

Almost good for blocking spyware installed into lan or dmz.

> There was also a thread on the list a while back where I outlined how
> the blacklist could be loaded *after* "shorewall start" had completed.
> You might be able to take that approach to get your firewall up quicker.

It's exactly what I need, thanks.

---------------------------------------------
> If you still wish to continue under the burden of your giant black list,
> what you asked can be accomplished by:
>
> a) Including an empty blacklist file in /etc/shorewall
> b) Having your real blacklist file in /etc/blacklist/blacklist
> c) Placing the following commands in /etc/shorewall/start
>
>    SHOREWALL_DIR=/etc/blacklist
>    blacklist_refresh
>
> If you update the blacklist and want to reload it, just enter this
> command:
>
>    shorewall -c /etc/blacklist refresh
---------------------------------------------

Many thanks for your effort pointing out a solution

Ciao'
Mathieu
--
mollo wrote:
> On Tue, 11 May 2004 09:40:07 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
> Hi Tom,
>
>
>> This means that each successful new connection from the net must
>> traverse 23512 rules!!!!
>
>
> Yep, and thanks to Harald Welte there is no side effect.

Well... I'm betting that you have BLACKLISTNEWONLY=Yes in your shorewall.conf file and that your firewall would roll over and die if you set BLACKLISTNEWONLY=No

>
>
>> But be warned that the dynamic blacklist is traversed for *every* new
>> connection, not just those from the net.
>
>
> Almost good for blocking spyware installed into lan or dmz.
>

No -- blacklisting only checks the *source* IP address.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 2004-05-11 at 20:05 +0200, mollo wrote:
> On Tue, 11 May 2004 09:40:07 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
> Hi Tom,
>
> >
> > This means that each successful new connection from the net must
> > traverse 23512 rules!!!!
>
> Yep, and thanks to Harald Welte there is no side effect.

If you really don't want any traffic to/from these networks, why don't you just NULL route them. Just use 'route add -host x.x.x.x reject'. You won't get logs for any entries from it, but it may be less processing. If you are really going to have 23000+ entries, you should probably throw a little effort at putting some logic into aggregating the addresses so you can just block entire prefixes, which will probably reduce the total entries by a decent amount.

Just a thought....

--
David T Hollis <dhollis@davehollis.com>
On Tue, 11 May 2004 13:23:31 -0700
Tom Eastep <teastep@shorewall.net> wrote:

Hi tom

>
> Well... I'm betting that you have BLACKLISTNEWONLY=Yes in your
> shorewall.conf file and that your firewall would roll over and die if
> you set BLACKLISTNEWONLY=No

Still in 1.4.10, I've started with shorewall 1.2 or 1.3, I suppose this setting was not in the default conf.. So here the default value is assumed..

Chain blacklst (2 references)
target     prot opt source               destination
LOG        all  --  104.76.38.0/23       0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 6 prefix `Shorewall:blacklst:DROP:'
DROP       all  --  104.76.38.0/23       0.0.0.0/0

>
> No -- blacklisting only checks the *source* IP address.
>

Yes, source of course! Just kicking my $*%! ;-)

Ciao'
Mathieu
--
On Tue, 11 May 2004 20:30:09 -0400
David T Hollis <dhollis@davehollis.com> wrote:

Hello David,

> > Yep, and thanks to Harald Welte there is no side effect.
>
> If you really don't want any traffic to/from these networks, why don't
> you just NULL route them. Just use 'route add -host x.x.x.x reject'.

That's an idea.. And I'm just curious about the way linux will handle a routing table with 12.000 entries. That reminds me of the famous Win Freeze attack.. I'll tell you about the try.. But I will not use that because I need to log and never generate ICMP back traffic. Probably useful for other usage.

> You won't get logs for any entries from it, but it may be less
> processing. If you are really going to have 23000+ entries, you should
> probably throw a little effort at putting some logic into aggregating
> the addresses so you can just block entire prefixes which will probably
> reduce the total entries by a decent amount.
>

23000 is LOG+DROP. There are half as many addrs.

Ciao'
Mathieu
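David's suggestion above (aggregate the addresses into prefixes) and Mathieu's note that the 23000 rules are a LOG+DROP pair per entry can both be checked with a small script. The following is an added example written for this thread, not Shorewall's own code and not something any participant posted; it assumes the 1.4-era blacklist file layout (one entry per line, first column an address or subnet, optional PROTOCOL and PORTS columns, `#` comments) and uses a constructed sample list. Entries that carry protocol/port columns produce a different rule from a bare address, so they are deliberately left out of the merge.

```python
"""Aggregate a Shorewall-style blacklist into the minimal set of CIDR prefixes.

Added example for the mailing-list thread; not Shorewall's own code.
Assumption: blacklist lines look like "ADDRESS/SUBNET [PROTOCOL [PORTS]]",
with '#' starting a comment, as in the Shorewall 1.4 blacklist file.
"""
import ipaddress

# Constructed sample blacklist (not taken from the thread). The two adjacent
# /24s collapse into 104.76.38.0/23, the prefix seen in the iptables listing.
SAMPLE_BLACKLIST = """\
# ADDRESS/SUBNET     PROTOCOL   PORTS
104.76.38.0/24
104.76.39.0/24
192.0.2.0/25
192.0.2.128/25
198.51.100.4
198.51.100.5
198.51.100.6
203.0.113.7
203.0.113.7                        # duplicate entry
203.0.113.9          tcp        25  # port-specific: must not be merged
"""


def parse_blacklist(text):
    """Return (address_only_networks, pass_through_lines).

    Only entries consisting of a bare address/subnet are aggregation
    candidates; an entry with PROTOCOL/PORTS columns generates a rule with
    extra match conditions and is passed through unchanged.
    """
    plain, keep = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 1:
            # strict=False tolerates host bits set, e.g. 10.0.0.1/24 -> 10.0.0.0/24
            plain.append(ipaddress.ip_network(fields[0], strict=False))
        else:
            keep.append(" ".join(fields))
    return plain, keep


def aggregate(text):
    """Collapse the address-only entries into the fewest covering prefixes.

    Returns (collapsed_prefix_strings, pass_through_lines). Duplicates vanish
    and adjacent blocks merge; nothing outside the listed addresses is added.
    """
    plain, keep = parse_blacklist(text)
    collapsed = [str(n) for n in ipaddress.collapse_addresses(plain)]
    return collapsed, keep


def rule_count(entries, log=True):
    """Rules iptables holds in the blacklst chain for these entries:
    one LOG and one DROP per entry when BLACKLIST_LOGLEVEL is set, else
    just the DROP."""
    return len(entries) * (2 if log else 1)


if __name__ == "__main__":
    before, _ = parse_blacklist(SAMPLE_BLACKLIST)
    after, passthrough = aggregate(SAMPLE_BLACKLIST)
    print("before: %d entries -> %d rules" % (len(before), rule_count(before)))
    print("after:  %d entries -> %d rules" % (len(after), rule_count(after)))
    for net in after:
        print("  ", net)
    for line in passthrough:
        print("   kept as-is:", line)
```

Every new connection still traverses the whole chain once, so the only lever this script pulls is the chain length; on a real list the gain depends entirely on how many of the entries happen to share prefixes.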
mollo wrote:
> On Tue, 11 May 2004 13:23:31 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
> Hi tom
>
>
>> Well... I'm betting that you have BLACKLISTNEWONLY=Yes in your
>> shorewall.conf file and that your firewall would roll over and die if
>> you set BLACKLISTNEWONLY=No
>
>
> Still in 1.4.10,

BLACKLISTNEWONLY is available in 1.4.10

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net